Patent Analysis of

Secret quotient transfer device, secret bit decomposition device, secret modulus conversion device, secret quotient transfer method, secret bit decomposition method, secret modulus conversion method, and programs therefor

Updated Time 12 June 2019

Patent Registration Data

Publication Number

US10003460

Application Number

US15/025394

Application Date

03 October 2014

Publication Date

19 June 2018

Current Assignee

NIPPON TELEGRAPH AND TELEPHONE CORPORATION

Original Assignee (Applicant)

NIPPON TELEGRAPH AND TELEPHONE CORPORATION

International Classification

H04L9/08,G09C1/00

Cooperative Classification

H04L9/085,G09C1/00,H04L2209/46

Inventor

IKARASHI, DAI,KIKUCHI, RYO,HAMADA, KOKI,CHIDA, KOJI

Patent Images

This patent contains figures and images illustrating the invention and its embodiment.


Abstract

A secret quotient transfer device that can reduce the communication cost. On the assumption that u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation $m \le 2^u$, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p, the integers a and 0 are congruent modulo $2^u$, and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$, the secret quotient transfer device computes a quotient q of the division of a total sum $a_Z$ of the sub-shares by p according to $q = \sum_{i<m} x_i \bmod 2^u$.


Claims

1. A secret quotient transfer device comprising: processing circuitry configured to receive a bit representation of each of m sub-shares $x_0, \ldots, x_{m-1}$ of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message, and compute a quotient q according to

[Formula 45] $q = -\sum_{i<m} x_i \bmod 2^u$, (1)

on the assumption that

[Formula 41] $x \equiv_y z$

is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation $m \le 2^u$, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 42] $a \equiv_{2^u} 0$,

the a is expressed as a sum of the m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 43] $a \equiv_p \sum_{i<m} x_i$,

a total sum $a_Z$ of the sub-shares is expressed as

[Formula 44] $a_Z = \sum_{i<m} x_i$,

and the q is a quotient of a division of the total sum $a_Z$ of the sub-shares by p.

2. A secret bit decomposition device, wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 46] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 47] $a \equiv_p \sum_{i<m} x_i$,

and the secret bit decomposition device comprises: processing circuitry configured to obtain, under a condition that $2^u a < p$, a duplicate secret sharing value $\{a\}^{Z_p}$ and computes a transformed secret sharing value $\{a'\}^{Z_p}$ $(= 2^u \times_{Z_p} \{a\}^{Z_p})$ by a secret computation of public value multiplication, wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a; determine a lower bit sharing value

$[r_i]^{Z_2^u}$ [Formula 48] by distributing u bits beginning with a 0-th bit of a j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m; determine a higher bit sharing value

$[q_i]^{Z_2^l}$ [Formula 49] by distributing l bits beginning with an u-th bit of the j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m; compute a lower bit sum value

[Formula 50] $\sum_{i<m} {}_{Z_2^{2u}}[r_i]^{Z_2^u}$

by a secret computation by an adding circuit, it being assumed that lower u bits of the lower bit sum value is denoted as

$[r_u]^{Z_2^u}$ [Formula 51] and higher u bits of the lower bit sum value is denoted as

$[q_u]^{Z_2^u}$; [Formula 52] obtain the lower u bits of the lower bit sum value and compute a zero determination value $[[r_u \ne 0]]^{Z_2}$ by a secret computation by a zero determining circuit; and obtain the higher bit sharing value, the higher u bits of the lower bit sum value and the zero determination value for all i that satisfies a condition that i<m, computes a sequence of secret sharing bit values

[Formula 53] $[a \bmod 2^l]^{Z_2^l} = \sum_{i<m} {}_{Z_2^l}[q_i]^{Z_2^l} +_{Z_2^l} [q_u]^{Z_2^u} +_{Z_2^l} [[r_u \ne 0]]^{Z_2}$

by a secret computation by the adding circuit, and output the computation result.

3. A secret modulus conversion device, wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 54] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 55] $a \equiv_p \sum_{i<m} x_i$,

and the secret modulus conversion device comprises: a public value multiplying secret computation part that, under a condition that 2ua<p, obtains a duplicate secret sharing value {a}Zp mod p and computes a transformed secret sharing value {a′}Zp (=2u×Zp{a}Zp) by a secret computation of public value multiplication, wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a;a modulus lower bit distribution part that determines a modulus lower bit sharing value

[ri]Z2u  [Formula 57]by distributing u bits beginning with a 0-th bit of a share of an i-th party

Z2u{a′}iZp mod 2u[Formula 56] of a transformed modulus secret sharing value for all i that satisfies a condition that i<m; a modulus lower bit addition part that computes a lower bit sum value

[Formula58]

i<mZ2u[ri]Z2u

by a secret computation by an adding circuit for all i that satisfies a condition that i<m and designates the computation result as a linear secret sharing value of a quotient

[q]Z2u;  [Formula 59] a conversion processing part that performs a predetermined conversion processing, such as a conversion of mod 2→mod p′, on the linear secret sharing value of the quotient to determine a converted linear secret sharing value {q}− of the quotient;a retransformation part that computes a retransformed secret sharing value mod p′

{a′p′}iZp′  [Formula 61]of the transformed secret sharing value

{a′}iZp  [Formula 60] for all i that satisfies a condition that i<m; anda modulus differential part that obtains the retransformed secret sharing value and the converted linear secret sharing value of the quotient, performs a differential computation

2−u×Zp′({a′p′}Zp′Zp′p{q}Zp′)  [Formula 62] by a secret computation of addition and public value multiplication, and outputs the computation result.

4. A secret quotient transfer method, implemented by a secret quotient transfer device, comprising: receiving, by processing circuitry of the secret quotient transfer device, a bit representation of each of m sub-shares $x_0, \ldots, x_{m-1}$ of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message; and computing, by the processing circuitry, a quotient q according to

[Formula 67] $q = -\sum_{i<m} x_i \bmod 2^u$, (1)

on the assumption that

[Formula 63] $x \equiv_y z$

is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation $m \le 2^u$, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 64] $a \equiv_{2^u} 0$,

the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 65] $a \equiv_p \sum_{i<m} x_i$,

a total sum $a_Z$ of the sub-shares is expressed as

[Formula 66] $a_Z = \sum_{i<m} x_i$,

and the q is a quotient of a division of the total sum $a_Z$ of the sub-shares by p.

5. A secret bit decomposition method, implemented by a secret bit decomposition device, wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 68] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 69] $a \equiv_p \sum_{i<m} x_i$,

and the secret bit decomposition method comprises: a public value multiplying secret computation step of, under a condition that $2^u a < p$, obtaining, by processing circuitry of the secret bit decomposition device, a duplicate secret sharing value $\{a\}^{Z_p}$ and computing a transformed secret sharing value $\{a'\}^{Z_p}$ $(= 2^u \times_{Z_p} \{a\}^{Z_p})$ by a secret computation of public value multiplication, wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a; a lower bit distribution step of determining, by the processing circuitry, a lower bit sharing value

$[r_i]^{Z_2^u}$ [Formula 70] by distributing u bits beginning with a 0-th bit of a j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m; a higher bit distribution step of determining, by the processing circuitry, a higher bit sharing value

$[q_i]^{Z_2^l}$ [Formula 71] by distributing l bits beginning with an u-th bit of the j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m; a lower bit addition step of computing a lower bit sum value

[Formula 72] $\sum_{i<m} {}_{Z_2^{2u}}[r_i]^{Z_2^u}$

by a secret computation by an adding circuit, it being assumed that lower u bits of the lower bit sum value is denoted as

$[r_u]^{Z_2^u}$ [Formula 73] and higher u bits of the lower bit sum value is denoted as

$[q_u]^{Z_2^u}$; [Formula 74] a zero determination step of obtaining the lower u bits of the lower bit sum value and computing a zero determination value $[[r_u \ne 0]]^{Z_2}$ by a secret computation by a zero determining circuit; and a higher bit addition step of obtaining the higher bit sharing value, the higher u bits of the lower bit sum value and the zero determination value for all i that satisfies a condition that i<m, computing a sequence of secret sharing bit values

[Formula 75] $[a \bmod 2^l]^{Z_2^l} = \sum_{i<m} {}_{Z_2^l}[q_i]^{Z_2^l} +_{Z_2^l} [q_u]^{Z_2^u} +_{Z_2^l} [[r_u \ne 0]]^{Z_2}$

by a secret computation by the adding circuit, and outputting the computation result.

6. A secret modulus conversion method, implemented by a secret modulus conversion device, wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 76] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 77] $a \equiv_p \sum_{i<m} x_i$,

and the secret modulus conversion method comprises: a public value multiplying secret computation step of, under a condition that 2ua<p, obtaining, by processing circuitry of the secret modulus conversion device, a duplicate secret sharing value {a}Zp mod p and computing a transformed secret sharing value {a′}Zp (=2u×Zp{a}Zp) by a secret computation of public value multiplication wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a;a modulus lower bit distribution step of determining, by the processing circuitry, a modulus lower bit sharing value

[ri]Z2u  [Formula 79]by distributing u bits beginning with a 0-th bit of a share of an i-th party

Z2u{a′}iZp mod 2u  [Formula 78]of a transformed modulus secret sharing value for all i that satisfies a condition that i<m; a modulus lower bit addition step of computing, by the processing circuitry, a lower bit sum value

[Formula80]

i<mZ2u[ri]Z2u

by a secret computation by an adding circuit for all i that satisfies a condition that i<m and designating the computation result as a linear secret sharing value of a quotient

[q]Z2u;  [Formula 81] a conversion processing step of performing, by the processing circuitry, a predetermined conversion processing, such as a conversion of mod 2→mod p′, on the linear secret sharing value of the quotient to determine a converted linear secret sharing value {q}Zp′ of the quotient;a retransformation step of computing, by the processing circuitry, a retransformed secret sharing value mod p′

{a′p′}iZp′  [Formula 83]of the transformed secret sharing value

{a′}iZp  [Formula 82] for all i that satisfies a condition that i<m; anda modulus differential step of obtaining, by the processing circuitry, the retransformed secret sharing value and the converted linear secret sharing value of the quotient, performing a differential computation

2−u×Zp′({a′p′}Zp′Zp′p{q}Zp′)  [Formula 84] by a secret computation of addition and public value multiplication, and outputting the computation result.

7. A non-transitory computer readable medium storing a computer program that makes a secret quotient transfer device perform a method comprising receiving, by processing circuitry of the secret quotient transfer device, a bit representation of each of m sub-shares $x_0, \ldots, x_{m-1}$ of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message; and computing a quotient q according to

[Formula 67] $q = -\sum_{i<m} x_i \bmod 2^u$, (1)

on the assumption that

[Formula 63] $x \equiv_y z$

is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation $m \le 2^u$, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 64] $a \equiv_{2^u} 0$,

the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 65] $a \equiv_p \sum_{i<m} x_i$,

a total sum $a_Z$ of the sub-shares is expressed as

[Formula 66] $a_Z = \sum_{i<m} x_i$,

and the q is a quotient of a division of the total sum $a_Z$ of the sub-shares by p.

8. A non-transitory computer readable medium storing a computer program that makes a computer function as a secret bit decomposition device perform a method wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 68] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 69] $a \equiv_p \sum_{i<m} x_i$,

the method comprising: a public value multiplying secret computation step of, under a condition that $2^u a < p$, obtaining, by processing circuitry of the secret bit decomposition device, a duplicate secret sharing value $\{a\}^{Z_p}$ and computing a transformed secret sharing value $\{a'\}^{Z_p}$ $(= 2^u \times_{Z_p} \{a\}^{Z_p})$ by a secret computation of public value multiplication, wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a; a lower bit distribution step of determining, by the processing circuitry, a lower bit sharing value

$[r_i]^{Z_2^u}$ [Formula 70] by distributing u bits beginning with a 0-th bit of a j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m, a higher bit distribution step of determining, by the processing circuitry, a higher bit sharing value

$[q_i]^{Z_2^l}$ [Formula 71] by distributing l bits beginning with an u-th bit of the j-th sub-share $\{a'\}^{Z_p}\langle j\rangle$ of the transformed secret sharing value for all i that satisfies a condition that i<m; a lower bit addition step of computing a lower bit sum value

[Formula 72] $\sum_{i<m} {}_{Z_2^{2u}}[r_i]^{Z_2^u}$

by a secret computation by an adding circuit, it being assumed that lower u bits of the lower bit sum value is denoted as

$[r_u]^{Z_2^u}$ [Formula 73] and higher u bits of the lower bit sum value is denoted as

$[q_u]^{Z_2^u}$; [Formula 74] a zero determination step of obtaining the lower u bits of the lower bit sum value and computing a zero determination value $[[r_u \ne 0]]^{Z_2}$ by a secret computation by a zero determining circuit and a higher bit addition step of obtaining the higher bit sharing value, the higher u bits of the lower bit sum value and the zero determination value for all i that satisfies a condition that i<m, computing a sequence of secret sharing bit values

[Formula 75] $[a \bmod 2^l]^{Z_2^l} = \sum_{i<m} {}_{Z_2^l}[q_i]^{Z_2^l} +_{Z_2^l} [q_u]^{Z_2^u} +_{Z_2^l} [[r_u \ne 0]]^{Z_2}$

by a secret computation by the adding circuit, and outputting the computation result.

9. A non-transitory computer readable medium storing a computer program that makes a secret modulus conversion device perform a method wherein it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation $m \le 2^u$, a boundary value u that is a natural number is denoted as $\lceil \log m \rceil$, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

[Formula 76] $a \equiv_{2^u} 0$,

and the plain text a is expressed as a sum of m sub-shares $x_0, \ldots, x_{m-1}$ as

[Formula 77] $a \equiv_p \sum_{i<m} x_i$,

the method comprising: a public value multiplying secret computation step of, under a condition that 2ua<p, obtaining, by processing circuitry of the secret modulus conversion device, a duplicate secret sharing value {a}Zp mod p and computing a transformed secret sharing value {a′}Zp (=2u×Zp{a}Zp) by a secret computation of public value multiplication, wherein a plurality of devices perform secret sharing of sub-shares of the original plain text electronic message a such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message a;a modulus lower bit distribution step of determining, by the processing circuitry, a modulus lower bit sharing value

[ri]Z2u  [Formula 79]by distributing u bits beginning with a 0-th bit of a share of an i-th party

Z2u{a′}iZp mod 2u  [Formula 78] of a transformed modulus secret sharing value for all i that satisfies a condition that i≤m; a modulus lower bit addition step of computing, by the processing circuitry, a lower bit sum value

[Formula80]

i<mZ2u[ri]Z2u

by a secret computation by an adding circuit for all i that satisfies a condition that i<m and designating the computation result as a linear secret sharing value of a quotient

[qu]Z2u;  [Formula 81] a conversion processing step of performing, by the processing circuitry, a predetermined conversion processing, such as a conversion of mod 2→mod p′, on the linear secret sharing value of the quotient to determine a converted linear secret sharing value {q}Zp′ of the quotienta retransformation step of computing, by the processing circuitry, a retransformed secret sharing value mod p′

{a′p′}iZp′  [Formula 83]of the transformed secret sharing value

{a′}iZp  [Formula 82] for all i that satisfies a condition that i<m; anda modulus differential step of obtaining the retransformed secret sharing value and the converted linear secret sharing value of the quotient, performing a differential computation

2−u×Zp′({a′p′}Zp′Zp′p{q}Zp′)  [Formula 84] by a secret computation of addition and public value multiplication, and outputting the computation result.


Claim Tree

  • 1
    1. A secret quotient transfer device comprising:
    • processing circuitry configured to receive a bit representation of each of m sub-shares x0, . . . , xm-1 of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message, and compute a quotient q according to [Formula45]q=-i<
    • mximod2u,(1) on the assumption that [Formula41]xyz is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation m≤2u, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula42]a2u0, the a is expressed as a sum of the m sub-shares x0, . . . , xm-1 as [Formula43]api<
    • mxi, a total sum aZ of the sub-shares is expressed as [Formula44]aZ=i<
    • mxi, and the q is a quotient of a division of the total sum aZ of the sub-shares by p.
    • 2
      2. A secret bit decomposition device, wherein
      • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2u, a boundary value u that is a natural number is denoted as ┌log m┐, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula46]a2u0, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula47]api<mxi, and the secret bit decomposition device comprises:
    • 3
      3. A secret modulus conversion device, wherein
      • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2u, a boundary value u that is a natural number is denoted as ┌log m┐, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula54] a2u0, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula55] api<mxi, and the secret modulus conversion device comprises:
    • 4
      4. A secret quotient transfer method, implemented by a secret quotient transfer device, comprising:
      • receiving, by processing circuitry of the secret quotient transfer device, a bit representation of each of m sub-shares x0, . . . , xm-1 of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message
      • and computing, by the processing circuitry, a quotient q according to [Formula67]q=-i<
      • mximod2u,(1) on the assumption that [Formula63] xyz is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation m≤2u, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula64] a2u0, the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula65] api<
      • mxi, a total sum aZ of the sub-shares is expressed as [Formula66] aZ=i<
      • mxi, and the q is a quotient of a division of the total sum aZ of the sub-shares by p.
      • 5
        5. A secret bit decomposition method, implemented by a secret bit decomposition device, wherein
        • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2u, a boundary value u that is a natural number is denoted as ┌log m┐, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula68] a2u0, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula69] api<mxi, and the secret bit decomposition method comprises:
      • 6
        6. A secret modulus conversion method, implemented by a secret modulus conversion device, wherein
        • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2u, a boundary value u that is a natural number is denoted as ┌log m┐, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula76] a2u0, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula77] api<mxi, and the secret modulus conversion method comprises:
      • 7
        7. A non-transitory computer readable medium storing a computer program that makes a secret quotient transfer device perform a method comprising
        • receiving, by processing circuitry of the secret quotient transfer device, a bit representation of each of m sub-shares x0, . . . , xm-1 of an original plain text electronic message from a plurality of devices which perform secret sharing of the sub-shares such that each sub-share is concealed within each respective one of the plurality of devices and at least a sub-set of the plurality of devices are required to reconstruct the original plain text electronic message
        • and computing a quotient q according to [Formula67]q=-i<
        • mximod2u,(1) on the assumption that [Formula63] xyz is a symbol that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation m≤2u, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula64] a2u0, the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula65] api<
        • mxi, a total sum aZ of the sub-shares is expressed as [Formula66] aZ=i<
        • mxi, and the q is a quotient of a division of the total sum aZ of the sub-shares by p.
        • 8
          8. A non-transitory computer readable medium storing a computer program that makes a computer function as a secret bit decomposition device perform a method wherein
          • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2u, a boundary value u that is a natural number is denoted as ┌log m┐, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula68] a2u0, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula69] api<mxi, the method comprising:
          9. A non-transitory computer readable medium storing a computer program that makes a secret modulus conversion device perform a method wherein
          • it is assumed that p denotes a Mersenne prime number, m denotes an integer that satisfies a relation m≤2^u, a boundary value u that is a natural number is denoted as ⌈log m⌉, i denotes an integer from 0 to m−1, j denotes an integer from 0 to m−1, [P] denotes an operator that converts whether any proposition P is true or false into an integer, a linear secret sharing value of a plain text a is denoted as [a], a duplicate secret sharing value of the plain text a is denoted as {a}, the plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation [Formula76] $a \equiv_{2^u} 0$, and the plain text a is expressed as a sum of m sub-shares x0, . . . , xm-1 as [Formula77] $a \equiv_p \sum_{i<m} x_i$, the method comprising:

          Description

          TECHNICAL FIELD

          The present invention generally relates to a technical field of secret computation that involves processing data while concealing the data by secret sharing and, in particular, to a secret quotient transfer device, a secret bit decomposition device, a secret modulus conversion device, a secret quotient transfer method, a secret bit decomposition method, a secret modulus conversion method, and programs therefor.

          BACKGROUND ART

          In the technical field of secret computation that involves processing data while concealing the data by secret sharing, there is a known conventional technique (referred to as “share quotient computation”) that involves determining a quotient q of the division by a value p of a sum aZ of a sequence of distributed numbers x0, . . . , xm-1 that are smaller than an arbitrary modulo p (that is, a value q in an expression aZ=a+qp, where 0≤a<p, and 0≤q<m):

          [Formula1] $a_Z := \sum_{i<m} x_i$

          A technique that achieves the share quotient computation is bit decomposition (Non-patent literature 1).

          PRIOR ART LITERATURE

          • [Non-Patent Literature]

          Non-patent literature 1: I. Damgard, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft, Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In S. Halevi and T. Rabin eds, TCC, Vol. 3876 of Lecture Notes in Computer Science, pp. 285-304 Springer, 2006.

          SUMMARY OF THE INVENTION

          Problems to be Solved by the Invention

          The conventional technique described above has a problem that, provided that the value p has a bit length of |p|, the traffic is O(|p|^2) bits, and the communication cost is high. In view of such circumstances, an object of the present invention is to provide a secret quotient transfer device that can reduce the communication cost.

          Means to Solve the Problems

          A secret quotient transfer device according to the present invention computes a quotient q according to

          [Formula6] $q = -\sum_{i<m} x_i \bmod 2^u$, (1)

          on the assumption that

          [Formula2] $x \equiv_y z$

          is a formula that expresses that integers x and z are congruent modulo y, u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation m≤2^u, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p and satisfies a relation

          [Formula3] $a \equiv_{2^u} 0$,

          a is expressed as a sum of m sub-shares x0, . . . , xm-1 as

          [Formula4] $a \equiv_p \sum_{i<m} x_i$,

          a total sum aZ of the sub-shares is expressed as

          [Formula5] $a_Z = \sum_{i<m} x_i$,

          and q is a quotient of the division of the total sum aZ of the sub-shares by p.

          Effects of the Invention

          The secret quotient transfer device according to the present invention can reduce the communication cost.

          BRIEF DESCRIPTION OF THE DRAWINGS

          FIG. 1 is a block diagram showing a configuration of a secret quotient transfer device according to a first embodiment;

          FIG. 2 is a flowchart showing an operation of the secret quotient transfer device according to the first embodiment;

          FIG. 3 is a block diagram showing a configuration of a linear duplicate conversion device;

          FIG. 4 is a flowchart showing an operation of the linear duplicate conversion device;

          FIG. 5 is a block diagram showing a configuration of a secret bit decomposition device according to a second embodiment;

          FIG. 6 is a flowchart showing an operation of the secret bit decomposition device according to the second embodiment;

          FIG. 7 is a block diagram showing a configuration of a secret bit decomposition device according to a first modification;

          FIG. 8 is a block diagram showing a configuration of a secret modulus conversion device according to a third embodiment;

          FIG. 9 is a flowchart showing an operation of the secret modulus conversion device according to the third embodiment; and

          FIG. 10 is a block diagram showing a configuration of a secret modulus conversion device according to a second modification.

          DETAILED DESCRIPTION OF THE EMBODIMENTS

          In the following, embodiments of the present invention will be described in detail. The components having the same functions are denoted by the same reference numerals, and redundant descriptions thereof will be omitted.

          First Embodiment

          Description of Terms

          In the following, terms used in this specification will be described.

          [semi-honest]

          “Semi-honest” means that an attacker peeps at data but performs a correct processing.

          [malicious]

          “Malicious” means that an attacker performs any unauthorized operation.

          <Notation>

          In the following, a notation commonly used in this specification will be described.

          [Formula7] $x \equiv_y z$

          means that integers x and z are congruent modulo y. For any proposition P, [P] denotes an operator that converts whether the proposition P is true or false into an integer. Typically, the operator returns 1 if P is true and 0 if P is false.

          <Assumption>

          In the present invention, in general, it is assumed that a data type that represents a number smaller than p actually stores a context-dependent number smaller than M. For example, with a common computer, a 32-bit integer can store 1-bit data (M=2) that represents “sex”. The number of bits of M is denoted as l. According to the present invention, taking such cases into account, very quick share quotient computation is achieved with a bit traffic (O(l) for |p|) that does not depend on |p|. The speedup of the share quotient computation leads to speedup of many processings in the field of secret computation, such as bit decomposition and modulus conversion.

          <Secret Quotient Transfer Device 1>

          In the following, a secret quotient transfer device according to a first embodiment will be described with reference to FIGS. 1 and 2. FIG. 1 is a block diagram showing a configuration of a secret quotient transfer device 1 according to this embodiment. FIG. 2 is a flowchart showing an operation of the secret quotient transfer device 1 according to this embodiment.

          It is assumed that u denotes a natural number and represents a boundary value, m denotes an integer that satisfies a relation m≤2^u, i denotes an integer from 0 to m−1, a plain text a is an integer that is equal to or greater than 0 and smaller than an arbitrary modulo p (0≤a<p) and satisfies a relation

          [Formula3] $a \equiv_{2^u} 0$

          and a is expressed as a sum of x0, . . . , xm-1 as

          [Formula9] $a \equiv_p \sum_{i<m} x_i$

          Each item xi is referred to as a sub-share of a, where i denotes an integer from 0 to m−1. A total sum aZ of the sub-shares is expressed as

          [Formula10] $a_Z = \sum_{i<m} x_i$,

          and q is a quotient of the division of the total sum aZ by p. The secret quotient transfer device 1 according to this embodiment receives sub-shares transmitted from a plurality of devices. The secret quotient transfer device 1 computes the quotient q according to

          [Formula11] $q = -\sum_{i<m} x_i \bmod 2^u$, (1)

          and outputs the computed quotient q (S1). That is, when the secret quotient transfer device 1 obtains a bit representation of each sub-share xi, the secret quotient transfer device 1 can compute the quotient by passing the lower u bits of the respective bit representations through an adding circuit or a subtracting circuit. With the secret quotient transfer device 1 according to this embodiment, it is to be noted that computation for the bits higher than the u-th bit is not necessary. The secret quotient transfer device 1 and a secret quotient transfer method disclosed in this embodiment have many applications in the field of secret computation that involves performing a processing of secret-shared data while concealing the data. Such applications will be described later with regard to second and third embodiments.
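Formula (1) can be checked on cleartext sub-shares. The Python below is an added illustration, not code from the patent: it assumes additive sub-shares and a Mersenne prime modulus (as the second and third embodiments do), so that p ≡ −1 (mod 2^u), and the names `share_additive`, `quotient_transfer`, `true_quotient` and `check_preconditions` are hypothetical.

```python
import secrets

P = (1 << 31) - 1   # Mersenne prime 2^31 - 1 (assumed modulus for this sketch)


def share_additive(value, m, p):
    """Split value into m sub-shares x_0..x_{m-1} whose sum is congruent to value mod p."""
    xs = [secrets.randbelow(p) for _ in range(m - 1)]
    xs.append((value - sum(xs)) % p)
    return xs


def quotient_transfer(xs, u):
    """Formula (1): q = -(sum of x_i) mod 2^u, touching only the low u bits of each x_i."""
    mask = (1 << u) - 1
    low_sum = 0
    for x in xs:
        # u-bit adder: carries out of bit u-1 are discarded
        low_sum = (low_sum + (x & mask)) & mask
    return (-low_sum) & mask


def true_quotient(xs, p):
    """Reference value: quotient of the integer sum a_Z by p (needs the full-width sum)."""
    return sum(xs) // p


def check_preconditions(a, xs, u, p):
    """Return the violated assumptions; an empty list means formula (1) applies."""
    problems = []
    if len(xs) > (1 << u):
        problems.append("m > 2^u")
    if a % (1 << u) != 0:
        problems.append("a is not a multiple of 2^u")
    if (p + 1) % (1 << u) != 0:
        problems.append("p is not congruent to -1 mod 2^u")
    if not 0 <= a < p:
        problems.append("a outside [0, p)")
    return problems


def demo(trials=1000, m=3, u=2, p=P):
    """Share random multiples of 2^u and count disagreements with the true quotient."""
    mismatches = 0
    for _ in range(trials):
        a = secrets.randbelow(p >> u) << u      # a < p and a = 0 mod 2^u
        xs = share_additive(a, m, p)
        if quotient_transfer(xs, u) != true_quotient(xs, p):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    good = [100, 100, 62]    # constructed: p = 127, sum = 262 = 8 + 2*127
    bad = [100, 100, 63]     # constructed: a = 9 is not a multiple of 2^u
    print(quotient_transfer(good, 2), true_quotient(good, 127))
    print(quotient_transfer(bad, 2), true_quotient(bad, 127),
          check_preconditions(9, bad, 2, 127))
    print("mismatches over random trials:", demo())
```

When a precondition fails, the low-bit result is still a well-formed u-bit number, so the error is silent; `check_preconditions` can only be run where the plain text is known, for example in tests.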

          Before describing those embodiments, secret sharing will be described.

          <(k, n)-Linear Secret Sharing>

          A (k, n)-secret sharing is a data sharing scheme in which a plain text is divided into n shares, which are to be distributed, the plain text can be reconstructed by collecting k of the n shares, and collecting k−1 or less of the n shares does not provide any information on the plain text.

          The (k, n)-linear secret sharing is defined herein as follows. If a function

          [Formula12] $\mathrm{SHARE}_{pr} : R \to \prod_{i<n} R^{m_i}$

          represents a (k, n)-linear secret sharing, the sequence of coefficients for reconstruction described below exists for an arbitrary injection σ: {0, . . . , k−1} → {0, . . . , n−1}. σ represents that k shares are arbitrarily selected from among n shares. Note that R denotes a commutative group, and C denotes a set that defines a product of multiplication by R.

          <Reconstruction>

          It is assumed that there is a sequence of coefficients

          [Formula13] $(\lambda_0, \ldots, \lambda_{k-1}) \in \prod_{i<k} C^{m_{\sigma(i)}}$,

          and SHAREpr(a) for any input a in a formula

          [Formula14] $\sum_{i<k} \sum_{j<m_{\sigma(j)}} (\lambda_i)_j (\mathrm{SHARE}_{pr}(a)_{\sigma(i)})_j = a$

          is referred to as a linear secret sharing value and denoted as [a]. For each number i∈{0, . . . , n−1}, SHAREpr(a)i is denoted as [a]i and referred to as an i-th share or a share of a party i. The Shamir secret sharing is a representative (k, n)-linear secret sharing. According to the Shamir secret sharing, the sequence of coefficients is Lagrange coefficients in the Lagrange interpolation. Of various types of linear secret sharing, in the present invention, it is assumed that the duplicate secret sharing described below is particularly used.

          <Duplicate Secret Sharing>

          The duplicate secret sharing is the secret sharing described below. First, using m (= ${}_n C_{k-1}$) elements a0, . . . , am-1 of the commutative group R, the plain text a is expressed as

          [Formula15] $a = \sum_{i<m} a_i$

          For each set of k−1 parties (an i-th set of k−1 parties is denoted as Pi), all the parties that do not belong to the set Pi have an element ai. On such an assumption, security is ensured if up to k−1 parties act in collusion, since any set of k−1 parties lacks a certain element ai. On the other hand, if k parties are gathered, any element ai is always owned by some party, and therefore, the plain text can be reconstructed. Thus, this is a (k, n)-secret sharing. Each element ai is referred to as a sub-share. According to (2, 3)-duplicate secret sharing, for example, a=a0+a1+a2, and shares of the parties are denoted as (a0, a1), (a1, a2), and (a2, a0).

          A secret sharing value of the duplicate secret sharing is denoted by {a}, and a share of an i-th party is denoted as {a}i. Provided that j denotes an integer from 0 to m−1, a j-th sub-share is denoted as {a}<j>. In a semi-honest protocol according to the present invention, a (k, k)-duplicate secret sharing is used. The (k, k)-duplicate secret sharing has an advantage that it is efficient because only k parties each hold one share. The (k, k)-duplicate secret sharing further has another advantage that it can be simply converted offline from any (k, n)-linear secret sharing. That is, k parties (which can be any k parties, although they are described as k parties from a party 0 to a party k−1 in this specification for the sake of simplicity) are arbitrarily selected, and the share of each party i (i<k) according to the (k, k)-duplicate secret sharing can be determined by simply multiplying the share according to the (k, n)-linear secret sharing by a coefficient for reconstruction as follows. $\{a\}_i = \lambda_i [a]_i$
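The two constructions above, (k, n)-duplicate sharing and the offline conversion {a}i = λi[a]i from a linear sharing, are shown below as an added Python illustration that is not part of the patent. It assumes Shamir sharing over a prime field with party i evaluated at the point i+1; all function names are hypothetical.

```python
import secrets
from itertools import combinations

P = (1 << 31) - 1   # prime modulus (assumed for this sketch)


def duplicate_share(a, n, k, p):
    """(k, n)-duplicate sharing: one sub-share a_i per (k-1)-subset P_i of the parties;
    every party outside P_i holds a_i."""
    subsets = list(combinations(range(n), k - 1))
    m = len(subsets)                               # m = nC(k-1)
    subs = [secrets.randbelow(p) for _ in range(m - 1)]
    subs.append((a - sum(subs)) % p)
    holdings = {party: {} for party in range(n)}
    for idx, excluded in enumerate(subsets):
        for party in range(n):
            if party not in excluded:
                holdings[party][idx] = subs[idx]
    return subs, holdings


def reconstruct_duplicate(holdings, parties, m, p):
    """Pool the sub-shares held by `parties`; None if some a_i is still missing."""
    pooled = {}
    for party in parties:
        pooled.update(holdings[party])
    if len(pooled) < m:
        return None
    return sum(pooled.values()) % p


def shamir_share(a, n, k, p):
    """(k, n) Shamir shares [a]_i = f(i+1) for a random polynomial f of degree k-1, f(0) = a."""
    coeffs = [a] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [sum(c * pow(i + 1, e, p) for e, c in enumerate(coeffs)) % p
            for i in range(n)]


def lagrange_at_zero(points, p):
    """Reconstruction coefficients lambda_i for interpolation at x = 0."""
    lams = []
    for xi in points:
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        lams.append(num * pow(den, -1, p) % p)
    return lams


def linear_to_kk_duplicate(shares, chosen, p):
    """{a}_i = lambda_i * [a]_i for the k chosen parties: local, no communication."""
    lams = lagrange_at_zero([i + 1 for i in chosen], p)
    return [lam * shares[i] % p for lam, i in zip(lams, chosen)]


if __name__ == "__main__":
    subs, holdings = duplicate_share(42, 3, 2, P)          # the (2, 3) case in the text
    print(reconstruct_duplicate(holdings, [0], len(subs), P))      # one party: None
    print(reconstruct_duplicate(holdings, [0, 2], len(subs), P))   # two parties: 42
    kk = linear_to_kk_duplicate(shamir_share(42, 5, 3, P), [0, 2, 4], P)
    print(sum(kk) % P)                                     # additive sub-shares of 42
```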

          In the following, a linear duplicate conversion device 2 that uses a (k, n)-duplicate secret sharing according to an anti-malicious protocol that can be used in the present invention will be described with reference to FIGS. 3 and 4. FIG. 3 is a block diagram showing a configuration of the linear duplicate conversion device 2. FIG. 4 is a flowchart showing an operation of the linear duplicate conversion device 2. An input to the linear duplicate conversion device 2 and an output from the linear duplicate conversion device 2 are as follows.

          Input: linear secret sharing value [a]Zp

          Output: duplicate secret sharing value {a}Zp

          As shown in FIG. 3, the linear duplicate conversion device 2 comprises a random number generation part 21, a linear conversion part 22, a differential value computation part 23, a publication part 24, and a summation part 25. The random number generation part 21 generates a duplicate secret sharing random number {r}Zp (S21). The linear conversion part 22 obtains the duplicate secret sharing random number {r}Zp and converts the random number into a linear secret sharing random number [r]Zp (S22). The differential value computation part 23 obtains the linear secret sharing value [a]Zp and the linear secret sharing random number [r]Zp and computes a differential value [a-r]Zp (S23). The publication part 24 publishes the differential value [a-r]Zp in an anti-malicious scheme (see Non-patent literature 1, for example) and obtains a decoded value a-r of the differential value (S24). The summation part 25 obtains the duplicate secret sharing random number {r}Zp and the decoded value a-r of the differential value and determines a duplicate secret sharing value {a}Zp according to an addition (a-r)+{r}Zp={a}Zp (S25). Unlike the (k, k)-duplicate secret sharing, the (k, n)-duplicate secret sharing has an advantage that it can be converted offline into any (k, n)-linear secret sharing (for details, see Reference non-patent literature 1).

          Reference non-patent literature 1: R. Cramer, I. Damgård, and Y. Ishai, Share conversion, pseudorandom secret-sharing and applications to secure computation. In J. Kilian ed., TCC, Vol. 3378 of Lecture Notes in Computer Science, pp. 342-362. Springer, 2005.

          Second Embodiment

          Secret Bit Decomposition Device

          In the following, a secret bit decomposition device according to a second embodiment will be described with reference to FIGS. 5 and 6. FIG. 5 is a block diagram showing a configuration of a secret bit decomposition device 3 according to this embodiment. FIG. 6 is a flowchart showing an operation of the secret bit decomposition device 3 according to this embodiment. As shown in FIG. 5, the secret bit decomposition device 3 comprises a public value multiplying secret computation part 31, a lower bit distribution part 32, a higher bit distribution part 33, a lower bit addition part 34, a zero determination part 35, and a higher bit addition part 36.

          Bit decomposition is an operation of converting a secret sharing value [a]Zp of a number a smaller than M into a sequence of l secret sharing values as follows.

          $[a]^{\mathbb{Z}_2^l} = ([a_0]^{\mathbb{Z}_2}, \ldots, [a_{l-1}]^{\mathbb{Z}_2})$  [Formula 16]

          In this formula, each of the numbers a0, . . . , al-1 denotes a bit (0 is the least significant bit) of a binary representation of the number a. [•]Zp and [•]Z2 may be the same type of secret sharing or different types of secret sharing.

          $[\cdot]^{\mathbb{Z}_2^l}$  [Formula 17]

          represents a secret sharing sequence of the type [•]Z2 having a length of l. The secret computation basically involves addition and multiplication, so that the arithmetic operation is quick, but the result of the arithmetic operation may be a numerical value that exceeds one bit. On the other hand, a logic circuit, which is slow but can perform any processing, receives a 1-bit value as an input and provides a 1-bit value as an output. The bit decomposition is a processing that bridges the two and involves quickly performing an arithmetic operation and then converting the resulting numerical value into a sequence of 1-bit values for any subsequent processing. The bit decomposition is essential for practical secret computation.

          <Secret Bit Decomposition According to Second Embodiment>

          In the following, a secret bit decomposition method performed by the secret bit decomposition device 3 according to this embodiment will be described with reference to FIG. 6. It is assumed that p denotes a Mersenne prime number. That is, p denotes a prime number that satisfies a condition that 2p−1 is a prime number. It is also assumed that (x0, . . . , xm-1) are sub-shares of a (0≤a<p). It is also assumed that the boundary value u is denoted as ⌈log m⌉, qi and ri denote numerical values that represent the u-th and the following bits and the (u−1)-th and the preceding bits of xi, respectively, and qu and ru denote numerical values that represent the u-th and the following bits and the (u−1)-th and the preceding bits of

          [Formula18] $\sum_{i<k} r_i$

          Then, from the formula (1), the following equation holds on the assumption that l satisfies a condition that l+u≤|p|.

          [Formula19] $a \equiv_{2^l} \sum_{i<m} q_i + q_u + [r_u \neq 0]$ (2)

          From this, an algorithm for duplicate secret sharing according to this embodiment is derived. The algorithm is to compute the formula (2). The traffic is |p| and is O(l) bits for l, which is independent of p, and the communication is fast.

          The duplicate secret sharing can be converted from any linear secret sharing (Reference non-patent literature 1), and the fact that the input is limited to the format of the duplicate secret sharing is not a limitation in practice.

          An input to the secret bit decomposition device 3 and an output of the secret bit decomposition device 3 are as follows.

          Input: {a}Zp, where 2^u a<p

          Output: a sequence of secret sharing bit values

          $[a \bmod 2^l]^{\mathbb{Z}_2^l}$  [Formula 20]

          Parameters: m represents the number of sub-shares (m∈N), u=⌈log m⌉, and p represents a prime number.

          Under the condition that 2^u a<p, the public value multiplying secret computation part 31 obtains the duplicate secret sharing value {a}Zp and computes a transformed secret sharing value {a′}Zp (=2^u ×Zp {a}Zp) by a secret computation of public value multiplication (S31). For example, for an arbitrary integer b smaller than p, a public value multiplication b×Zp{a}Zp of the duplicate secret sharing is achieved by multiplying each sub-share of {a} by b. A public value multiplication b×Zp[a]Zp of the (k, n)-linear secret sharing is achieved by multiplying each sub-share of [a] by b. The arithmetic symbol “×” or the like described above means that the arithmetic operation is performed separately for each algebraic structure that performs the arithmetic operation. Subsequent steps S32, S33, S34 and S36 are performed for every i that satisfies a condition that i<m. The lower bit distribution part 32 determines a lower bit sharing value

          $[r_i]^{\mathbb{Z}_2^u}$  [Formula 21]

          by distributing u bits beginning with the 0-th bit of a j-th sub-share {a′}Zp<j> of the transformed secret sharing value (S32). The higher bit distribution part 33 determines a higher bit sharing value

          $[q_i]^{\mathbb{Z}_2^l}$  [Formula 22]

          by distributing l bits beginning with the u-th bit of the j-th sub-share {a′}Zp<j> of the transformed secret sharing value (S33). The lower bit addition part 34 computes a lower bit sum value

          [Formula23] $\sum^{\mathbb{Z}_2^{2u}}_{i<m} [r_i]^{\mathbb{Z}_2^u}$

          by a secret computation by an adding circuit (S34). In the following, the lower u bits of the lower bit sum value are denoted as

          $[r_u]^{\mathbb{Z}_2^u}$  [Formula 24]

          and the higher u bits of the same are denoted as

          $[q_u]^{\mathbb{Z}_2^u}$  [Formula 25]

          The zero determination part 35 obtains the lower u bits of the lower bit sum value and computes a zero determination value [[ru≠0]]Z2 by a secret computation by a zero determining circuit (S35). The higher bit addition part 36 obtains the higher bit sharing value, the higher u bits of the lower bit sum value and the zero determination value, computes a sequence of secret sharing bit values

          [Formula26] $[a \bmod 2^l]^{\mathbb{Z}_2^l} = \sum^{\mathbb{Z}_2^l}_{i<m} [q_i]^{\mathbb{Z}_2^l} +_{\mathbb{Z}_2^l} [q_u]^{\mathbb{Z}_2^u} +_{\mathbb{Z}_2^l} [[r_u \neq 0]]^{\mathbb{Z}_2}$

          by a secret computation by the adding circuit, and outputs the result (S36).
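Steps S31 to S36 and formula (2) can be traced on cleartext sub-shares. The Python below is an added illustration, not the patent's implementation: it runs the arithmetic in the clear to check the identity, whereas in the protocol each r_i and q_i is shared bitwise and the sums are computed by adding circuits over the shares. The function names and the small constructed inputs are assumptions.

```python
import secrets

P_BITS = 31
P = (1 << P_BITS) - 1      # Mersenne prime 2^31 - 1 (assumed modulus)


def share_additive(value, m, p):
    """Split value into m sub-shares whose sum is congruent to value mod p."""
    xs = [secrets.randbelow(p) for _ in range(m - 1)]
    xs.append((value - sum(xs)) % p)
    return xs


def bit_decompose(xs, u, l, p=P, p_bits=P_BITS):
    """Cleartext walk-through of S31-S36 on sub-shares xs of a, where 2^u * a < p.
    Returns the bits (a_0, ..., a_{l-1}) of a mod 2^l, least significant first."""
    if len(xs) > (1 << u):
        raise ValueError("need m <= 2^u")
    if l + u > p_bits:
        raise ValueError("need l + u <= |p|")
    mask_u, mask_l = (1 << u) - 1, (1 << l) - 1
    # S31: public value multiplication by 2^u, applied to every sub-share mod p
    xs_t = [(x << u) % p for x in xs]
    # S32: lower bit values r_i = bits 0 .. u-1 of each transformed sub-share
    rs = [x & mask_u for x in xs_t]
    # S33: higher bit values q_i = l bits starting at bit u
    qs = [(x >> u) & mask_l for x in xs_t]
    # S34: lower bit sum; it fits in 2u bits because m <= 2^u
    low_sum = sum(rs)
    r_u, q_u = low_sum & mask_u, low_sum >> u
    # S35: zero determination [r_u != 0]
    nonzero = 1 if r_u != 0 else 0
    # S36: formula (2), evaluated with an l-bit adder
    value = (sum(qs) + q_u + nonzero) & mask_l
    return [(value >> j) & 1 for j in range(l)]


def bits_to_int(bits):
    """Recombine least-significant-first bits into an integer."""
    return sum(b << j for j, b in enumerate(bits))


def demo(trials=1000, m=3, u=2, l=8):
    """Count random l-bit inputs for which the decomposition differs from a."""
    mismatches = 0
    for _ in range(trials):
        a = secrets.randbelow(1 << l)            # 2^u * a < p holds for l = 8
        xs = share_additive(a, m, P)
        if bits_to_int(bit_decompose(xs, u, l)) != a:
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    # Constructed toy case: p = 127 (|p| = 7), a = 13, sub-shares sum to 13 + 2*127
    print(bit_decompose([100, 90, 77], 2, 5, p=127, p_bits=7))
    print("mismatches over random trials:", demo())
```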

          [Modification 1]

          In the following, a secret bit decomposition device 3A, which is a modification of the secret bit decomposition device 3 according to the second embodiment, will be described with reference to FIG. 7. FIG. 7 is a block diagram showing a configuration of the secret bit decomposition device 3A according to this modification. As shown in FIG. 7, in addition to the components described above, the secret bit decomposition device 3A according to this modification comprises the linear duplicate conversion device 2 that is configured to convert the linear secret sharing value described above into a duplicate secret sharing value. Since the secret bit decomposition device 3A comprises the linear duplicate conversion device 2, the secret bit decomposition device 3A can perform secret bit decomposition even if the input to the device is a linear secret sharing value. The secret bit decomposition device 3A according to this modification may perform the secret bit decomposition processing after converting the (k, n)-linear secret sharing into the (k, k)-duplicate secret sharing or perform the secret bit decomposition processing after converting the (k, n)-linear secret sharing into the (k, n)-duplicate secret sharing.

          Third Embodiment

          In the following, a secret modulus conversion device according to a third embodiment will be described with reference to FIGS. 8 and 9. FIG. 8 is a block diagram showing a configuration of a secret modulus conversion device 4 according to this embodiment. FIG. 9 is a flowchart showing an operation of the secret modulus conversion device 4 according to this embodiment. As shown in FIG. 8, the secret modulus conversion device 4 according to this embodiment comprises a public value multiplying secret computation part 41, a modulus lower bit distribution part 42, a modulus lower bit addition part 43, a conversion processing part 44, a retransformation part 45, and a modulus differential part 46.

          A modulus conversion is a processing of converting a secret sharing value in a format of a number smaller than a modulo p into another format of a number smaller than another modulo p′. In a common computer, the modulus conversion corresponds to a format conversion from a 32-bit integer into a 64-bit integer. The modulus conversion is also a processing essential for practical secret computation.

          <Secret Modulus Conversion Method According to Third Embodiment>

          In the following, a secret modulus conversion method performed by the secret modulus conversion device 4 according to this embodiment will be described with reference to FIG. 9. Using the formula (1), an algorithm for duplicate secret sharing according to this embodiment is derived. The traffic is |p| and is O(|p′|) bits for |p′|, which is independent of p, and the communication is fast. The duplicate secret sharing can be converted from any linear secret sharing (for details, see the description of the linear duplicate conversion device 2), and the fact that the input is limited to the format of the duplicate secret sharing is not a limitation in practice. An input to the secret modulus conversion device 4 and an output of the secret modulus conversion device 4 are as follows.

          Input: duplicate secret sharing value {a}Zp mod p, where 2^u a<p, and u=⌈log m⌉

          Output: duplicate secret sharing value {a}Zp′ mod p′

          Under the condition that 2^u a<p and u=⌈log m⌉, the public value multiplying secret computation part 41 obtains the duplicate secret sharing value {a}Zp mod p and computes a transformed secret sharing value {a′}Zp (=2^u ×Zp {a}Zp) by a secret computation of public value multiplication (S41). Subsequent steps S42, S43, S45 and S46 are performed for every i that satisfies a condition that i<m. The modulus lower bit distribution part 42 determines a modulus lower bit sharing value

          $[r_i]^{\mathbb{Z}_2^u}$  [Formula 28]

          by distributing u bits beginning with the 0-th bit of

          $-_{\mathbb{Z}_2^u} \{a'\}_i^{\mathbb{Z}_p} \bmod 2^u$  [Formula 27]

          which is the share of an i-th party of the transformed modulus secret sharing value (S42). Note that the minus sign is not assigned to Zp but to Z2u. The modulus lower bit addition part 43 computes a lower bit sum value

          [Formula29] $\sum^{\mathbb{Z}_2^u}_{i<m} [r_i]^{\mathbb{Z}_2^u}$

          by a secret computation by the adding circuit and designates the computation result as a linear secret sharing value of the quotient

          $[q]^{\mathbb{Z}_2^u}$  [Formula 30]

          (S43). The conversion processing part 44 performs a predetermined conversion processing, such as a conversion of mod 2→mod p′, on the linear secret sharing value of the quotient to determine a converted linear secret sharing value {q}Zp′ of the quotient (S44). A specific process of the conversion of mod 2→mod p′ will be described in detail below.

          <Conversion mod 2→mod p (Steps 1 to 7)>

          Input: {a}2

          Output: {a}p′

          Step 1: generate two types of secret sharing values {r}2 and {r}p′ of a plain text containing a random number r

          Step 2: that is, each i-th party generates a 1-bit random number r, and determines secret sharing values {ri}2 and {ri}p′ of two different types of {•}2 and {•}p′

          Step 3: compute

          $\{r\}^2 := \bigoplus_{i<n} \{r_i\}^2$

          $\{r\}^{p'} := \bigoplus_{i<n} \{r_i\}^{p'}$  [Formula 31]

          by a secret computation. Note that the combination of a circle and a plus symbol represents an XOR operation, and n denotes the number of parties.

          Step 4: Compute

          {a⊕r}2  [Formula 32],

          publish the computation result, and determine

          a′:=a⊕r  [Formula 33]

          Step 5: Compute

          {a}p′:=a′⊕{r}p′  [Formula 34]

          Step 6: that is,

          If a⊕r=0, {a}p′:={r}p′  [Formula 35]

          Step 7:

          If a⊕r=1, {a}p′:=1−{r}p′  [Formula 36]

          The retransformation part 45 then computes a retransformed secret sharing value mod p′

          $\{a'_{p'}\}_i^{\mathbb{Z}_{p'}}$  [Formula 38]

          of a transformed secret sharing value

          $\{a'\}_i^{\mathbb{Z}_p}$  [Formula 37]

          (S45). Note that, from the formula (1), the following formula holds.

          [Formula39] $a'_{p'} \equiv_{p'} 2^u a + qp$

          The modulus differential part 46 obtains the retransformed secret sharing value and the converted linear secret sharing value of the quotient, performs a differential computation

          $2^{-u} \times_{\mathbb{Z}_{p'}} (\{a'_{p'}\}^{\mathbb{Z}_{p'}} -_{\mathbb{Z}_{p'}} p\{q\}^{\mathbb{Z}_{p'}})$  [Formula 40]

          by a secret computation of addition and public value multiplication, and outputs the result (S46).
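Steps S41 to S46, including the mod 2→mod p′ conversion of the quotient bits, can be traced in the same way. The Python below is an added illustration and not the patent's implementation. Its assumptions: one additive sub-share per party, an odd target modulus p′ so that 2^u is invertible, and the random bit r of steps 1 to 3 dealt in the clear as a stand-in for the secret computation; the quotient q is likewise computed in the clear and then re-shared bitwise, where the protocol holds it only as bit shares. All names are hypothetical.

```python
import secrets

P = (1 << 31) - 1        # source modulus p: Mersenne prime (assumed)
P2 = (1 << 61) - 1       # target modulus p': odd prime (assumed)


def share_additive(value, m, p):
    """Split value into m sub-shares whose sum is congruent to value mod p."""
    xs = [secrets.randbelow(p) for _ in range(m - 1)]
    xs.append((value - sum(xs)) % p)
    return xs


def xor_share_bit(bit, n):
    """Split one bit into n shares whose XOR equals the bit (the {.}^2 sharing)."""
    shares = [secrets.randbelow(2) for _ in range(n - 1)]
    last = bit
    for s in shares:
        last ^= s
    return shares + [last]


def bit_mod2_to_modp(bit_shares, p2):
    """Steps 1-7: turn XOR shares of a bit a into additive shares of a mod p'."""
    n = len(bit_shares)
    # Steps 1-3 (stand-in): a random bit r held in both sharing types
    r = secrets.randbelow(2)
    r_2 = xor_share_bit(r, n)
    r_p2 = share_additive(r, n, p2)
    # Step 4: publish a' = a xor r; r masks a, so a' reveals nothing about a
    opened = 0
    for a_s, r_s in zip(bit_shares, r_2):
        opened ^= a_s ^ r_s
    # Steps 5-7: a = r if a' = 0, and a = 1 - r if a' = 1
    if opened == 0:
        return r_p2
    out = [(-s) % p2 for s in r_p2]
    out[0] = (out[0] + 1) % p2
    return out


def modulus_convert(xs, u, p=P, p2=P2):
    """Cleartext walk-through of S41-S46: sub-shares of a mod p -> sub-shares of a mod p'."""
    m = len(xs)
    mask = (1 << u) - 1
    xs_t = [(x << u) % p for x in xs]              # S41: multiply by public 2^u
    rs = [(-x) & mask for x in xs_t]               # S42: low u bits of -x'_i
    q = sum(rs) & mask                             # S43: u-bit sum equals quotient q
    q_p2 = [0] * m                                 # S44: convert q bit by bit
    for j in range(u):
        conv = bit_mod2_to_modp(xor_share_bit((q >> j) & 1, m), p2)
        q_p2 = [(acc + (s << j)) % p2 for acc, s in zip(q_p2, conv)]
    a_t_p2 = [x % p2 for x in xs_t]                # S45: reinterpret x'_i mod p'
    inv = pow(1 << u, -1, p2)                      # S46: 2^-u * (a'_p' - p * q)
    return [inv * (x - p * qs) % p2 for x, qs in zip(a_t_p2, q_p2)]


def demo(trials=500, m=3, u=2):
    """Count random inputs whose converted sub-shares do not sum to a mod p'."""
    mismatches = 0
    for _ in range(trials):
        a = secrets.randbelow(P >> u)              # guarantees 2^u * a < p
        out = modulus_convert(share_additive(a, m, P), u)
        if sum(out) % P2 != a:
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    # Constructed toy case: p = 127, p' = 8191, a = 13
    print(sum(modulus_convert([100, 90, 77], 2, p=127, p2=8191)) % 8191)
    print("mismatches over random trials:", demo())
```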

          [Modification 2]

          In the following, a secret modulus conversion device 4A, which is a modification of the secret modulus conversion device 4 according to the third embodiment, will be described with reference to FIG. 10. FIG. 10 is a block diagram showing a configuration of the secret modulus conversion device 4A according to this modification. As shown in FIG. 10, in addition to the components described above, the secret modulus conversion device 4A according to this modification comprises the linear duplicate conversion device 2 that is configured to convert the linear secret sharing value described above into a duplicate secret sharing value. Since the secret modulus conversion device 4A comprises the linear duplicate conversion device 2, the secret modulus conversion device 4A can perform secret modulus conversion even if the input to the device is a linear secret sharing value. The secret modulus conversion device 4A according to this modification may perform the secret modulus conversion processing after converting the (k, n)-linear secret sharing into the (k, k)-duplicate secret sharing or perform the secret modulus conversion processing after converting the (k, n)-linear secret sharing into the (k, n)-duplicate secret sharing.

          <Main Point of Invention>

          A main point of the present invention is that both the bit decomposition and the modulus conversion are closely related to the share quotient computation, and a concept of quotient transfer is created as an alternative to the conventional computation using a |p|-bit adding circuit to enable computation using a log m-bit circuit that does not depend on |p|. The quotient transfer is a novel technique provided by the present invention that involves shifting a quotient that would otherwise appear as a higher bit of the addition result to a lower bit of the addition result by taking advantage of the properties of the integer remainder. The traffic is markedly improved in efficiency from O(|p|^2) to O(1) for |p| for the share quotient computation, the bit decomposition and the modulus conversion. For example, in the case where |p|=31, and l=2 (that is, a 31-bit integer stores 2-bit data), the processing speed is approximately 2600 times higher than the conventional fastest implementation (see Reference non-patent literature 2, Drawing “shiftR”).

          (Reference non-patent literature 2) D. Bogdanov, M. Niitsoo, T. Toft, and J. Willemson. High-performance secure multi-party computation for data mining applications. Int. J. Inf. Sec., 11(6): 403-418, 2012.

          The various processings described above can be performed not only sequentially in the order described above but also in parallel with each other or individually as required or depending on the processing power of the device that performs the processings. Furthermore, of course, other various modifications can be appropriately made to the processings without departing from the spirit of the present invention.

          In the case where the configurations described above are implemented by a computer, the specific processings to be performed by the functions of each device are described in a program. The computer executes the program to implement the processing functions described above.

          The program that describes the specific processings can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any type of recording medium, such as a magnetic recording device, an optical disk, a magneto-optical recording medium or a semiconductor memory.

          The program may be distributed by selling, transferring or lending a portable recording medium, such as a DVD or a CD-ROM, in which the program is recorded, for example. Alternatively, the program may be distributed by storing the program in a storage device in a server computer and transferring the program from the server computer to other computers via a network.

          The computer that executes the program first temporarily stores, in a storage device thereof, the program recorded in a portable recording medium or transferred from a server computer, for example. When performing the processings, the computer reads the program from the recording medium and performs the processings according to the read program. In an alternative implementation, the computer may read the program directly from the portable recording medium and perform the processings according to the program. As a further alternative, the computer may perform the processings according to the program each time the computer receives the program transferred from the server computer. As a further alternative, the processings described above may be performed on an application service provider (ASP) basis, in which the server computer does not transmit the program to the computer, and the processings are implemented only through execution instruction and result acquisition. The programs according to the embodiments of the present invention include a quasi-program, which is information to be processed by a computer (such as data that is not a direct instruction to a computer but has a property that defines the processings performed by the computer).

          Although the devices according to the embodiments of the present invention have been described as being implemented by a computer executing a predetermined program, at least part of the specific processing may be implemented by hardware.
